Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens
24.12.2025
4359
A malicious npm package posing as a WhatsApp API intercepts messages, steals credentials, and links attacker devices after 56,000 downloads.
π¨ SUPPLY CHAIN ATTACK ALERT: Fake WhatsApp API on npm is straight-up stealing your data
Yikes. A malicious npm package disguised as a WhatsApp API has been caught intercepting messages, stealing login tokens, and even linking attacker devices to victims' WhatsApp accounts. This isn't just some theoretical threat β it's already been downloaded 56,000 times before getting caught.
Here's what this sneaky package does once installed:
- β’ Intercepts all WhatsApp messages (incoming AND outgoing)
- β’ Steals your contact list
- β’ Grabs your login tokens and credentials
- β’ Links attacker devices to your WhatsApp account
- β’ Exfiltrates all this data to attacker-controlled servers
This is classic supply chain attack behavior β hiding malicious code in legitimate-looking packages that developers trust. The package was cleverly named to look like a real WhatsApp API wrapper, making it easy for devs to accidentally include it in their projects.
The scary part? This isn't isolated. Security researchers have been warning about npm package vulnerabilities for years, but this shows how sophisticated these attacks have become. With 56,000 downloads before detection, the damage could be massive.
If you're a dev working with WhatsApp integrations, triple-check your dependencies. This is why security audits and package verification aren't just 'nice-to-haves' β they're essential armor in today's development landscape.
A malicious npm package posing as a WhatsApp API intercepts messages, steals credentials, and links attacker devices after 56,000 downloads.
#npm packages#WhatsApp malware#supply chain attacks#malware#fake npm packages
Got a topic? Write to ATLA WIRE on Telegram:t.me/atla_community
